In the cffunction tag in a CFC function that returns data to an Ajax client, specify a verifyClient attribute with a value of yes.
The VerifyClient function and attribute tell ColdFusion to require an encrypted security token in each request. To use this function, enable client management or session management in your application; otherwise, you do not get an error, but ColdFusion does not verify clients.
Enable client verification only for code that responds to ColdFusion Ajax client code, because only the ColdFusion Ajax library contains the client-side support code. Enabling client verification for clients other than ColdFusion Ajax applications can result in the client application not running.
Before you ask: session and client management are on, cfadmin is set up properly, I am logged in, I display my sessionid and urltoken at the bottom of pages on the development server, all is good, except this of course.
AJAX call:
$.ajax({
    url: 'somecrap.cfc?method=validateForm&' + Math.random(),
    data: someparameters,
    type: 'POST',
    dataType: 'json',
    async: false,
    cache: false
});
CFC function header:
<cffunction name="validateForm" access="remote" verifyclient="true" returntype="Array" output="false" returnformat="json">
Result:
You must have a valid login to access this page.
Client verification failure.
I hope someone can assist, otherwise I will have to rewrite all our applications to not use these types of Ajax calls any longer, as they are easily exploited by even the 'novice' hacker nowadays.
The VerifyClient functionality requires that a special token be sent along with the Ajax request; you will find that when you use CF's built-in Ajax stuff it will send the client verification token for you automatically (e.g. cfajaxproxy). In your example you are using jQuery to do the Ajax call.
--
Pete Freitag
Yes, I am sorry if I was not clear that it requires the session token be sent. There are several examples on the internet using jQuery Ajax; of course none will work.
What I was hoping for was a way to pass the CF token via jQuery Ajax, using serialization or something.
Some developer coded everything he did using jQuery Ajax instead of using the simple-to-use <cfajaxproxy> or even the cryptic ColdFusion.AjaxProxy.invoke method.
I really do not want to rework everything.
If this is not possible to send other than using CFAJAX, then I hope someone would update the documentation.
CLFraser wrote:
Some developer coded everything he did using jQuery Ajax instead of using the simple-to-use <cfajaxproxy> or even the cryptic ColdFusion.AjaxProxy.invoke method.
Some very wise developer. CF's Ajax tools suck. jQuery doesn't. You don't need to "rework" anything, you just need to add your own client verification to prevent XSRF attacks. Note that verifyClient does NOT replace having proper authenticated access via proper session management; it only ensures that the request is being made from the place you expect it to be made from.
jason
Hey wise---,
Are you saying that in the CFC functions that are called remotely from non-CFAJAX code, since verifyclient does not work, I need to verify the session using something like this:
<cfif NOT someOtherCFCiHadToMake.isGoodCall()>
<cfreturn false/>
</cfif>
Where the function isGoodCall would check for a valid session via cookie contents, like CFID, CFTOKEN and jsessionid?
Or would it be better, in case they spoof the cookie somehow, to have the function isGoodCall simply check whether a session variable that is set on a valid login isDefined?
Is that as secure as using the built in cfajaxproxy which passes the current client settings with each call?
-Curtis
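The check Jason recommends and Curtis sketches, as an added example that is not code from any poster in this thread: a per-session token is set at login, the existing jQuery call sends it in a custom request header, and the CFC checks it together with a server-side login flag rather than trusting cookie contents. The file names, the session keys isLoggedIn and ajaxToken, the header name X-Ajax-Token and the helper isGoodCall are assumptions.

```cfml
<!--- login.cfm (excerpt, assumed): runs once after the user authenticates --->
<cfset session.isLoggedIn = true>
<!--- per-session secret; a cross-site form post cannot read or send it --->
<cfset session.ajaxToken = hash(createUUID() & getTickCount(), "SHA-256")>

<!--- page.cfm (excerpt, assumed): hand the token to the jQuery call --->
<cfoutput>
<script type="text/javascript">
var cfAjaxToken = "#session.ajaxToken#"; /* hex string, safe to embed */
$.ajax({
    url: 'somecrap.cfc?method=validateForm',
    data: someparameters,
    type: 'POST',
    dataType: 'json',
    cache: false,
    beforeSend: function (xhr) {
        /* custom headers are only attached by same-origin script,
           which is what turns this into a request-forgery check */
        xhr.setRequestHeader('X-Ajax-Token', cfAjaxToken);
    }
});
</script>
</cfoutput>

<!--- somecrap.cfc (excerpt): the checks every remote method should run first --->
<cffunction name="isGoodCall" access="private" returntype="boolean" output="false">
    <cfset var headers = getHttpRequestData().headers>
    <!--- 1. authentication: a flag the server set at login, not CFID/CFTOKEN values --->
    <cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
        <cfreturn false>
    </cfif>
    <!--- 2. forgery check: token must be present and belong to this session --->
    <cfif NOT structKeyExists(session, "ajaxToken")
          OR NOT structKeyExists(headers, "X-Ajax-Token")>
        <cfreturn false>
    </cfif>
    <!--- compare() is case-sensitive and returns 0 only on an exact match --->
    <cfreturn compare(headers["X-Ajax-Token"], session.ajaxToken) EQ 0>
</cffunction>

<cffunction name="validateForm" access="remote" returntype="Array" output="false" returnformat="json">
    <cfif NOT isGoodCall()>
        <!--- refuse with a 403 and an empty result instead of a login page --->
        <cfheader statuscode="403" statustext="Forbidden">
        <cfreturn arrayNew(1)>
    </cfif>
    <!--- real validation logic follows here --->
    <cfreturn arrayNew(1)>
</cffunction>
```

Because the token lives only in the session scope, isGoodCall() still fails when session management is off, so that misconfiguration shows up as 403 responses during development instead of being silently skipped the way verifyClient is.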